1. Home
  2. Software
  3. Wevtutil

Wevtutil

Wevtutil is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.[1]

ID: S0645
Type: TOOL
Platforms: Windows
Contributors: Viren Chaudhari, Qualys; Harshal Tupsamudre, Qualys
Version: 1.3
Created: 14 September 2021
Last Modified: 12 May 2026
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

Wevtutil can be used to export events from a specific log.[1][2]
Enterprise T1685 .001 Disable or Modify Tools: Disable or Modify Windows Event Log

Wevtutil can be used to disable specific event logs on the system.[1]
.005 Disable or Modify Tools: Clear Windows Event Logs

Wevtutil can be used to clear system and security event logs from the system.[1][3]

Groups That Use This Software

ID Name References
G0007 APT28

[3]
G0143 Aquatic Panda

Aquatic Panda uses Wevtutil to extract Windows security event log data from victim machines.[4]
G1017 Volt Typhoon

[5][6]
G1040 Play

[7]
G0129 Mustang Panda

Mustang Panda has leveraged Wevtutil to gather information about usernames and Windows Security Event logs.[8]
G1054 MirrorFace

[9]

Campaigns

ID Name Description
C0014 Operation Wocao

During Operation Wocao, threat actors used Wevtutil to delete system and security event logs with wevtutil cl system and wevtutil cl security.[10]

References

  1. Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.
  2. F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
  3. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  4. CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.
  5. NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
  1. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  2. Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024.
  3. Lior Rochberger, Tom Fakterman, Robert Falcone. (2023, September 22). Cyberespionage Attacks Against Southeast Asian Government Linked to Stately Taurus, Aka Mustang Panda. Retrieved September 9, 2025.
  4. Tomonaga, S. (2024, July 16). MirrorFace Attack against Japanese Organisations. Retrieved April 17, 2026.
  5. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.